Sophos Demands Facebook Make Security, Privacy Default Settings

Sophos asks Facebook to start thinking about protecting its users by enabling default privacy and security features and not requiring them to opt out of information sharing.

Web security firm Sophos has posted an open letter to Facebook taking the social networking giant to task for its ongoing safety and privacy issues.

Sophos security experts outlined three steps Facebook should take to better protect its users and improve overall data security in a post on the company's Naked Security blog. Facebook needs to enable privacy and HTTPS by default and start vetting applications that appear on the site, wrote Graham Cluley, a Sophos senior technology consultant, on April 18.

Several Sophos security researchers regularly address the latest malicious Facebook apps and privacy missteps on Naked Security. Many of the scams are reported by the victims themselves, according to Cluley.

Users frequently ask, "Why doesn't Facebook do more to protect us?" said Cluley in the letter.

Privacy needs to be enabled by default, and Facebook has to stop sharing information without users' express agreement, Cluley wrote. If users want to take advantage of the latest feature or get the partner information, they should be encouraged to opt in, instead of having to manually opt out, according to the letter.

Back in January, Facebook announced that developers would be able to collect users' addresses and mobile phone numbers if users added the developers' application. After a storm of protest, the company backed down and "temporarily" suspended the policy.

"Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on," Cluley said.

When Facebook rolled out HTTPS for users, many security experts, including Cluley, approved the move, However, Facebook should have turned it on by default so that all the users are automatically protected, Cluley said. Without the data being encrypted by default, users are at risk of losing personal information to cyber-attackers.

"Worse, you only commit to provide a secure connection -whenever possible,'" Cluley said, noting that Facebook should enforce a secure connection all the time for all users by default.

Some users had their network traffic rerouted through Korea and China before hitting Facebook servers in March. It's still unclear why that happened, but that's a lot of unencrypted user data passing through unknown and potentially malicious servers. Users with HTTPS enabled on their accounts had less cause for worry, as their traffic was encrypted.

Facebook should also start vetting developers and applications before allowing them on Facebook, according to the letter. "It is far too easy to become a developer on Facebook," Cluley said. Facebook should be setting up a way to vet and approve third-party developers before they publish applications designed to be accessed from Facebook, he said.

Considering there are more than 1 million developers registered on the platform, it is "hardly surprising" that the site is "riddled" with rogue applications and viral scams, according to Cluley.

The majority of the security threats facing Facebook users come from phishing scams and rogue Facebook apps and not attackers trying to breach Facebook servers or hijack the log-in system. The scams range from the oft-requested "dislike" button to an application that promises to show users who is viewing their profile. Instead of the promised app, users are shown a survey scam and are directed to a site that downloads malware onto the computer, or to a phishing page asking for sensitive information.

"Why wait until regulators force your hand on privacy?" Cluley asked, noting that users are saying they want these issues resolved.

On Twitter, many users agreed with the letter and added other suggestions, such as actually removing user data when an account is deleted.